For performing a secure transmission of data from a token to a service provider server, authentication mechanism such as the “General Authentication Procedure” ensures privacy of a token's end-user, but may be difficult to deploy for a service provider server. To simplify such deployment, a service provider server may delegate authentication to an identity provider server, which will perform the authentication on its behalf. However, one problem of this prior art is that in this case the identity provider server is a hotspot for data read from the token, as many service provider servers may delegate authentication to this identity provider server. Such data may be linked together, which could compromise the end-user's privacy.